Firewalling and Proxy Server HOWTO
Mark Grennan, markg@netplus.net
v0.4, 8 November 1996
This document is designed to teach the basics of firewall systems and
give you some detail on setting up both a filtering and proxy firewall
on a Linux based PC. An HTML version of this document is available at
http://okcforum.org/~markg/Firewall-HOWTO.html
1. Introduction
This original Firewall-HOWTO was written by David Rudder,
drig@execpc.com. I'd like to thank him for allowing me to update his
work.
Firewalls have gained great fame recently as the ultimate in Internet
Security. Like most things that gain fame, with that fame has come
misunderstanding. This HOWTO will go over the basics of what a
firewall is, how to set one up, what proxy servers are, how to set up
proxy servers, and the applications of this technology outside of the
security realm.
1.1. Feedback
Any feedback is very welcome. PLEASE REPORT ANY INACCURACIES IN THIS
PAPER!!! I am human, and prone to making mistakes. If you find any,
fixing them is of my highest interest. I will try to answer all e-
mail, but I am busy, so don't get insulted if I don't.
My email address is markg@netplus.net
1.2. Disclaimer
I AM NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN
BASED ON THIS DOCUMENT. This document is meant as an introduction to
how firewalls and proxy servers work. I am not, nor do I pretend to
be, a security expert. I am just some guy who has read to much and
likes computers more than most people. Please, I am writing this to
help get people acquainted with this subject, and I am not ready to
stake my life on the accuracy of what is in here.
1.3. Copyright
Unless otherwise stated, Linux HOWTO documents are copyrighted by
their respective authors. Linux HOWTO documents may be reproduced and
distributed in whole or in part, in any medium physical or electronic,
as long as this copyright notice is retained on all copies. Commercial
redistribution is allowed and encouraged; however, the author would
like to be notified of any such distributions.
All translations, derivative works, or aggregate works incorporating
any Linux HOWTO documents must be covered under this copyright notice.
That is, you may not produce a derivative work from a HOWTO and impose
additional restrictions on its distribution. Exceptions to these rules
may be granted under certain conditions; please contact the Linux
HOWTO coordinator.
In short, we wish to promote dissemination of this information through
as many channels as possible. However, we do wish to retain copyright
on the HOWTO documents, and would like to be notified of any plans to
redistribute the HOWTOs.
If you have any questions, please contact Mark Grennan at
<markg@netplus.net>.
1.4. My Reasons for Writing This
Even though there were a lot of discussions on comp.os.linux.* over
the past year about firewalling, I found it difficult to find the
information I needed to setup a firewall. The original version of
this HOWTO was helpful but still lacking. I hope this beefed up
version of David Rudder's Firewall HOWTO will give everyone the
information they need to create a functioning firewall in hours, not
weeks.
I also feel I should return something to the Linux community.
1.5. TODO
· Give some instructions on how to setup the clients
· Find a good UDP proxy server that works with Linux
1.6. Further Readings
· The NET-2 HOWTO
· The Ethernet HOWTO
· The Multiple Ethernet Mini HOWTO
· Networking with Linux
· The PPP HOWTO
· TCP/IP Network Administrator's Guide by O'Reilly and Associates
· The Documentation for the TIS Firewall Toolkit
Trusted Information System's (TIS) web site has a great collection of
documentation on firewalls and related meterial. http://www.tis.com/
Also, I am working on a security project called I am calling Secure
Linux. On the Secure Linux web site I am gathering all the
information, documemtation and programs you need to create a trusted
Linux system. Email me if you would like information.
2. Understanding Firewalls
A firewall is a term used for a part of a car. In cars, firewalls are
physical objects that separate the engine from the passengers. They
are meant to protect the passenger in case the car's engine catches
fire while still providing the driver access to the engine's controls.
A firewall in computers is a device that protects a private network
from the public part (the internet as a whole).
The firewall computer, from now on named "firewall", can reach both
the protected network and the internet. The protected network can't
reach the internet, and the internet can not reach the protected
network.
For someone to reach the internet from inside the protected network,
they must telnet to firewall, and use the internet from there.
The simplest form of a firewall is a dual homed system. (a system with
two network connections) If you can TRUST ALL your users, you can
simple setup a Linux (compile it with IP forwarding/gatewaying turned
OFF!) and give everyone accounts on it. The can then login to this
system and telnet, FTP, read mail, and use any other service you
provided. With this setup, the only computer on your private network
that knows anything about the outside world is the firewall. The other
system on your protected network dont even need a default route.
This needs re-stating. For the above firewall to work YOU MUST TRUST
ALL YOUR USERS! I don't recommend it.
2.1. Drawbacks with Firewalls
The problem with filtering firewalls are they inhibit the access to
your network from the internet. Only services on systems that have
pass filters can be accessed. With a proxy server users can login to
the firewall and then access any system within the private network
they have access to.
Also, new types of network clients and servers a coming out almost
daily. When they do you must find a new way to allow controled access
before these services can be used.
2.2. Types of Firewalls
There are two types of firewalls.
1. IP or Filtering Firewalls - that block all but selected network
traffic.
2. Proxy Servers - that make the network connections for you.
2.2.1. IP Filtering Firewalls
An IP filtering firewall works at the packet level. It is designed to
control the flow of packets based the source, destination, port and
packet type information contained in each packet.
This type of firewall is very secure but lacks any sort of useful
logging. It can block people from accessing private system but it will
not tell you who accessed your public systems or who accessed the
internet from the inside.
Filtering firewalls are absolute filters. Even if you want to give
someone on outside access to your private servers you can not without
giving everyone access to the servers.
Linux has included packet filtering software in the kernel starting
with version 1.3.x.
2.2.2. Proxy Servers
Proxy servers allow indirect internet access through the firewall. The
best example of how this works is a person telneting to a system and
then telneting from there to another. Only with a proxy server the
process is automatic. When you connect to a proxy server with your
client software, the proxy server starts it's client (proxy) software
and passes you the data.
Because proxy servers are duplicating all the communications they can
log every thing they do.
The great thing about proxy servers is that they are completely
secure, when configured correctly. They will not allow someone in
through them. There are no direct IP routes.
3. Setting up the Firewall
3.1. Hardware requirements
For our example, the computer is a 486-DX66 with 16 meg of memory and
a 500 meg Linux partition. This system has two network cards one
connected to our private LAN and the other connected to the a lan we
will call the de-militarized zone (DMZ). The DMZ has a router
connected to it with a connection to the internet.
This is a pretty standard setup for a business. You could use one
network card and a modem with PPP to the internet. The point is, the
firewall must have two IP network numbers.
I know a lot of people have small LANs at home with two or three
computers on them. Something you might consider is putting all your
modems in on Linux box (maybe an old 386) and connecting all of them
to the internet with load balancing. With this setup when only one
person was pulling data they would get both modems doubling the
throughput. :-)
4. Firewalling Software
4.1. Available packages
If all you want is a filtering firewall, you only need Linux and the
basic networking packages. One package that might not come with your
distribution is the IP Firewall Administration tool.
(IPFWADM) Comes from http://www.xos.nl/linux/ipfwadm/
If you want to setup a poxy server you will need one of these
packages.
1. SOCKS
2. TIS Firewall Toolkit (FWTK)
4.2. The TIS Firewall Toolkit vs SOCKS
Trusted Information System (http://www.tis.com) has put out a
collection of programs designed to facilitate firewalling. The
programs do basically the same thing as the SOCKS package, but with a
different design strategy. Where Socks has one program that covers
all Internet transactions, TIS has provided one program for each
utility that wishes to use the firewall.
To contrast the two, let's use the example of world wide web and
Telnet access. With SOCKS, you set up one configuration file and one
daemon. Through this file and daemon, both telnet and WWW are
enabled, as well as any other service that you have not disabled.
With the TIS toolkit, you set up one daemon for each WWW and telnet,
as well as configuration files for each. After you have done this,
other internet access is still prohibited until explicitly set up. If
a daemon for a specific utility has not been provided (like talk),
there is a "plug-in" daemon, but it is neither as flexible, nor as
easy to set up, as the other tools.
This might seem a minor, but it makes a major difference. SOCKS allows
you to be sloppy. With a poorly set up SOCKS server, someone from the
inside could gain more access to the internet than was originally
intended. With the TIS toolkit, the people on the inside have only
the access the system administrator wants them to have.
SOCKS is easier to set up, easier to compile and allows for greater
flexibility. The TIS toolkit is more secure if you want to regulate
the users inside the protected network. Both provide absolute
protection from the outside.
I will cover the installation and setup of both.
5. Preparing the Linux system
5.1. Compiling the Kernel
Start with a clean installation of your Linux distribution. (I used
RedHat 3.0.3 and the examples here are based on this distribution.)
The less software you have loaded the less holes, backdoors and/or
bugs there will be to introduce security problems in your system, so
load only a minimal set of applications.
Pick a stable kernel. I used the Linux 2.0.14 kernel for my system.
So this documentation is based on it's settings.
You well need to recompile the Linux kernel with the appropriate
options. At this point, you should look at the Kernel HOWTO, the
Ethernet HOWTO, and the NET-2 HOWTO if you haven't done this before.
Here are the network related setting I know work in 'make config'
1. Under General setup
a. Turn Networking Support ON
2. Under Networking Options
a. Turn Network firewalls ON
b. Turn TCP/IP Networking ON
c. Turn IP forwarding/gatewaying OFF (UNLESS you wish to use IP
filtering)
d. Turn IP Firewalling ON
e. Turn IP firewall packet loggin ON (this is not required but it
is a good idea)
f. Turn IP: masquerading OFF (I am not covering this subject here.)
g. Turn IP: accounting ON
h. Turn IP: tunneling OFF
i. Turn IP: aliasing OFF
j. Turn IP: PC/TCP compatibility mode OFF
k. Turn IP: Reverse ARP OFF
l. Turn Drop source routed frames ON
3. Under Network device support
a. Turn Network device support ON
b. Turn Dummy net driver support ON
c. Turn Ethernet (10 or 100Mbit) ON
d. Select your network card
Now you can recompile, reinstall the kernel and reboot. Your network
card/s should show up in the boot-up sequence. If not, go over the
other HOWTOs again until it is working.
5.2. Configuring two network cards
If you have two network cards in your computer, you most likely will
need to add an append statement to your /etc/lilo.conf file to
describe the IRQ and address of both cards. My lilo append statement
looks like this:
append="ether=12,0x300,eth0 ether=15,0x340,eth1"
5.3. Configuring the Network Addresses
This is the real interesting part. Now you have a few decisions to
make. Since we don't want the internet to have access to any part of
the private network, we do not need to use real addresses. There are
a number of internet addresses set aside for private networks. Because
everyone needs more addresses and because these addresses can not
cross the Internet they are a good choice.
Of these, 192.168.2.xxx, is set aside and we will use it in our
examples.
Your proxy firewall will be a member of both networks and so it can
pass the data through to and from the private network.
199.1.2.10 __________ 192.168.2.1
_ __ _ \ | | / _______________
| \/ \/ | \| Firewall |/ | |
/ Internet \--------| System |------------| Workstation/s |
\_/\_/\_/\_/ |__________| |_______________|
If your going to use a filtering firewall you can still use these
numbers. You will need to use IP masquerading to make this happen.
With this process the firewall will forward packets and translate them
into "REAL " " IP address to travel on the Internet.
You must assign the real IP address to the network card on the
Internet (out) side. And, assign 192.168.2.1 to the Ethernet card on
inside. This will be your proxy/gateway IP address. You can assign
all the other machines in the protected network some number in that
192.168.2.xxx range. (192.168.2.2 through 192.168.2.254)
Since I use RedHat Linux (Hey guys, want to give me a copy for the
plugs? ;-) to configure the network at boot time I added a 'ifcfg-
eth1' file in the /etc/sysconfig/network-scripts directory. This file
is read during the boot process to set your network and routing
tables.
Here is what my ifcfg-eth1 looks like;
#!/bin/sh
#>>>Device type: ethernet
#>>>Variable declarations:
DEVICE=eth1
IPADDR=192.168.2.1
NETMASK=255.255.255.0
NETWORK=192.168.2.0
BROADCAST=192.168.2.255
GATEWAY=199.1.2.10
ONBOOT=yes
#>>>End variable declarations
You can also use these scripts to automatically connect by modem to
your provider. Look at the ipup-ppp script.
If your going to use a modem for your internet connection your outside
IP address will be assigned for you by your provider at connect time.
5.4. Testing your network
Start by checking ifconfig and route. If you have two network cards
your ifconfig should look something like:
#ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.0 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST LOOPBACK RUNNING MTU:3584 Metric:1
RX packets:1620 errors:0 dropped:0 overruns:0
TX packets:1620 errors:0 dropped:0 overruns:0
eth0 Link encap:10Mbps Ethernet HWaddr 00:00:09:85:AC:55
inet addr:199.1.2.10 Bcast:199.1.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:0
Interrupt:12 Base address:0x310
eth1 Link encap:10Mbps Ethernet HWaddr 00:00:09:80:1E:D7
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:0
Interrupt:15 Base address:0x350
and your route table sould look like:
#route -n
Kernel routing table
Destination Gateway Genmask Flags MSS Window Use Iface
199.1.2.0 * 255.255.255.0 U 1500 0 15 eth0
192.168.2.0 * 255.255.255.0 U 1500 0 0 eth1
127.0.0.0 * 255.0.0.0 U 3584 0 2 lo
default 199.1.2.10 * UG 1500 0 72 eth0
Note: 199.1.2.0 is the Internet side of this firewall and 192.168.2.0
is the private side.
Now try to ping the internet from the firewall. I used to use
nic.ddn.mil as my test point. It's still a good test, but has proven
to be less reliable than I had hoped. If it doesn't work at first,
try pinging a couple other places that are not connected to your LAN.
If this doesn't work, then your PPP is incorrectly setup. Reread the
Net-2 HOWTO, and try again.
Next, try pinging a host within the protected network from the
firewall. All the computers should be able to ping each other. If
not, go over the NET-2 HOWTO again and work on the network some more.
Then, try to ping the outside address of firewall from inside the
protected network. (NOTE: this is not any of the 192.168.2.xxx IP
numbers.) If you can, then you have not turned off IP Forwarding.
Make sure this is the way you want it. If you leave it turned on you
will have to go through the IP filtering section of this document as
well.
Now try pinging the internet from behind your firewall. Use the same
address that worked for you before. (I.E. nic.ddn.mil) Again, if you
have IP Forwarding turned off, this should not work. But, if you have
it turned on, it should.
If have IP Forwarding turned on and your using a "REAL" (not
192.168.2.*) IP address for your private network, and you can't ping
the internet but you can ping the internet side your firewall, check
if the next router up stream is routing packets for your private
network address. (Your provider may have to do this for you.)
If you have assigned your protected network to 192.168.2.*, then no
can packets can be routed to it anyway. If you have skipped ahead and
you already have IP masquerading turn on, this test should work.
Now, you have your basic system setup.
5.5. Securing the Firewall
A firewall isn't any good if it is left wide open to attacks through a
unused service. A "bad guy" could gain access to the firewall and
modify it for their own needs.
Start by turning off any unneeded services. Look at /etc/inetd.conf
file. This file controls what are called the "super server". It
controls a bunch of the server daemons and starts them as they are
requested.
Definitely turn off netstat, systat, tftp, bootp, and finger. To turn
a service off, put # as the first character of the service line. When
your done, send a SIG-HUP to the process by typing "kill -HUP <pid>",
where <pid> is the process number of inetd. This will make inetd re-
read its configuration file (inetd.conf) and restart.
Test it out by telneting to port 15 on firewall, the netstat port. If
you get an output of netstat, you have not restarted it correctly.
6. IP filtering setup (IPFWADM)
To start, you should have IP Forwarding turned on in your kernel and
your system should be up and forwarding everything you send it. Your
routing tables should be in place and you should be able to access
everything, both from the inside out and from the outside in.
But, we're building a firewall so we need to start chocking down what
everyone has access to.
In my system I created a couple of scripts to set the firewall
forwarding policy and accounting policy. I call theses scripts from
the /etc/rc.d scripts so my system is configured at boot time.
By default the IP Forwarding system in the Linux kernel forwards
everything. Because of this, your firewall script should start by
denying access to everything and flushing any ipfw rules in place from
the last time it was run. This script will do the trick.
#
# setup IP packet Accounting and Forwarding
#
# Forwarding
#
# By default DENY all services
ipfwadm -F -p deny
# Flush all commands
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
Now we have the ultimate firewall. Nothing can get through. No doubt
you have some services you need to forward so here are a few examples
you should find useful.
# Forward email to your server
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
# Forward email connections to outside email servers
ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 25 -D 0.0.0.0/0 1024:65535
# Forward Web connections to your Web Server
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
# Forward Web connections to outside Web Server
/sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.* 80 -D 0.0.0.0/0 1024:65535
# Forward DNS traffic
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
You might also be interested in accounting for traffic going through
your firewall. This script will count ever packet. You could add a
line or to to account for packets going to just a single system.
# Flush the current accounting rules
ipfwadm -A -f
# Accounting
/sbin/ipfwadm -A -f
/sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
/sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24
If all you wanted was a filtering firewall you can stop here. Enjoy
:-)
7. Installing the TIS Proxy server
7.1. Getting the software
The TIS FWTK is avaible at ftp://ftp.tis.com/.
Don't make the mistake I did. When you ftp files from TIS, READ THE
README's. The TIS fwtk is locked up in a hidden directory on their
server. TIS requires you send email to fwtk-request@tis.com with only
the word SEND in the body of the message to learn the name of this
hidden directory. No subject is needed in the message. Their system
will then mails you back the directory name (good for 12 hours) to
download the source.
As I'm writing this TIS is releasing version 2.0 (beta) of the FWTK.
This version seems to compile well (with a few exceptions) and
everything is working for me. This is the version I will be covering
here. When they release the final code I'll update the HOWTO.
To install the FWTK, create a fwtk-2.0 directory in your /usr/src
directory. Move your copy of the FWTK (fwtk-2.0.tar.gz) to your this
directory and untar it (tar zxf fwtk-2.0.tar.gz).
The FWTK does not proxy SSL web documents but there is an addon for it
written by Jean-Christophe Touvet. It is avaible at
ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z. Touvet does not
support this code.
I am using a modified version that includes access to Netscape secure
news servers written by Eric Wedel. It is available at
ftp://mdi.meridian-data.com/pub/tis.fwtk/ssl-gw/ssl-gw2.tar.Z.
In our example I will use Eric Wedel's version.
To install it, simply create a ssl-gw directory in your
/usr/src/fwtk-2.0 directory and put the files in it.
When I installed this gateway it required a few changes before it
would compile with the rest of the toolkit.
The first change was to the ssl-gw.c file. I found it didn't include a
needed include file.
#if defined(__linux)
#include <sys/ioctl.h>
#endif
Second it didn't come with a Makefile. I copied one out of the other
gateway directories and replaced the gateway's name with ssl-gw.
7.2. Compiling the TIS FWTK
Version 2.0 of the FWTK compiles much easier then any of the older
versions. I still found a couple of things that needed to be changed
before the BETA version would compile cleanly. Hopefully these changes
will be make in the final version.
To fix it up, start by changing to the /usr/src/fwtk/fwtk directory
and coping the Makefile.config.linux file over the Makefile.config
file.
DON'T RUN FIXMAKE. The instructions tell you to run this. If you do it
will break the makefiles in each directory.
I do have a fix for fixmake. The problem is the sed script add a '.'
and '' to the include line of ever Makefile. This sed script works.
sed 's/^include[ ]*\([^ ].*\)/include \1/' $name .proto > $name
Next we need to edit the Makefile.config file. There are two changes
you may need to make.
The author set the source directory to his home directory. We are
compiling our code in /usr/src so you should changed the FWTKSRCDIR
variable to reflect this.
FWTKSRCDIR=/usr/src/fwtk/fwtk
Second, at least some Linux system us the gdbm database. The
Makefile.config is using dbm. You might need to change this. I had to
for RedHat 3.0.3.
DBMLIB=-lgdbm
The last fix is in the x-gw. The bug in the BETA version is in the
socket.c code. To fix it remove these lines of code.
#ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
+ sizeof(un_name->sun_len) + 1
#endif
If you added the ssl-gw to your FWTK source directory you will need to
add it to the list of directory in the Makefile.
DIRS= smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw ssl-gw
Now run make.
7.3. Installing the TIS FWTK
Run make install.
The default installation directory is /usr/local/etc. You could change
this (I didn't) to a more secure directory. I chose to change the
access to this directory to 'chmod 700'.
All last is left now is to configure the firewall.
7.4. Configuring the TIS FWTK
Now the fun realy begins. We must teach the system to call theses new
services and create the tables to control them.
I'm not going to try to re-write the TIS FWTK manual here. I will show
you the setting I found worked and explain the problems I ran into and
how I got around them.
There are three files that make up these controls.
· /etc/services
· Tells the system what ports a services is on.
· /etc/inetd.conf
· Tells inetd what program to call when someone knocks on a service
port.
· /usr/local/etc/netperm-table
· Tells the FWTK services who to allow and deny service to.
To get the FWTK functioning, you should edit these files from the
bottom up. Editing the services file without the inetd.conf or
netperm-table file set correctly could make your system inaccessible.
7.4.1. The netperm-table file
This file controls who can access the services of the TIS FWTK. You
should think about the traffic using the firewall from both sides.
People outside your network should identify themselves before gaining
access, but the people inside your network might be allowed to just
pass through.
So people can identify themselves, the firewall uses a program called
authsrv to keep a database of user IDs and passwords. The
authentication section of the netperm-table controls where the
database is keep and who can access it.
I had some trouble closing the access to this service. Note the
premit-hosts line I show uses a '*' to give everyone access. The
correct setting for this line is '' authsrv: premit-hosts localhost if
you can get it working.
#
# Proxy configuration table
#
# Authentication server and client rules
authsrv: database /usr/local/etc/fw-authdb
authsrv: permit-hosts *
authsrv: badsleep 1200
authsrv: nobogus true
# Client Applications using the Authentication server
*: authserver 127.0.0.1 114
To initialize the database, su to root, and run ./authsrv in the
/var/local/etc directory to create the administrative user record.
Here is a sample session.
Read the FWTK documentation to learn how to add users and groups.
#
# authsrv
authsrv# list
authsrv# adduser admin "Auth DB admin"
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin pass
changed
authsrv# pass admin "plugh"
Password changed.
authsrv# superwiz admin
set wizard
authsrv# list
Report for users in database
user group longname ok? proto last
------ ------ ------------------ ----- ------ -----
admin Auth DB admin ena passw never
authsrv# display admin
Report for user admin (Auth DB admin)
Authentication protocol: password
Flags: WIZARD
authsrv# ^D
EOT
#
The telnet gateway (tn-gw) controls are straight forward and the first
you should set up.
In my example, I premit host from inside the private network to pass
through without authenticating themselves. (permit-hosts 19961.2.*
-passok) But, any other user must enter their user ID and password to
use the proxy. (permit-hosts * -auth)
I also allow one other system (196.1.2.202) to access the firewall
directly without going through the firewall at all. The two inetacl-
in.telnetd lines do this. I will explain how these lines are called
latter.
The Telnet timeout should be keep short.
# telnet gateway rules:
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 90
tn-gw: permit-hosts 196.1.2.* -passok -xok
tn-gw: permit-hosts * -auth
# Only the Administrator can telnet directly to the Firewall via Port 24
netacl-in.telnetd: permit-hosts 196.1.2.202 -exec /usr/sbin/in.telnetd
The r-commands work the same way as telnet.
# rlogin gateway rules:
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 90
rlogin-gw: permit-hosts 196.1.2.* -passok -xok
rlogin-gw: permit-hosts * -auth -xok
# Only the Administrator can telnet directly to the Firewall via Port
netacl-rlogind: permit-hosts 196.1.2.202 -exec /usr/libexec/rlogind -a
You shouldn't have anyone accessing your firewall directly and that
includes FTP so don't put an FTP, server on you firewall.
Again, the permit-hosts line allows anyone in the protected network
free access to the Internet and all others must authenticate
themselves. I included logging of every file sent and received to my
controls. (-log { retr stor })
The ftp timeout controls how long it will take to drop a bad
connections as well as how long a connection will stay open with out
activity.
# ftp gateway rules:
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 300
ftp-gw: permit-hosts 196.1.2.* -log { retr stor }
ftp-gw: permit-hosts * -authall -log { retr stor }
Web, gopher and browser based ftp are contorted by the http-gw. The
first two lines create a directory to store ftp and web documents as
they are passing through the firewall. I make these files owned by
root and put the in a directory accessible only by root.
The Web connection should be kept short. It controls how long the user
will wait on a bad connections.
# www and gopher gateway rules:
http-gw: userid root
http-gw: directory /jail
http-gw: timeout 90
http-gw: default-httpd www.afs.net
http-gw: hosts 196.1.2.* -log { read write ftp }
http-gw: deny-hosts *
The ssl-gw is really just a pass anything gateway. Be carefull with
it. In this example I allow anyone inside the protected network to
connect to any server outside the network except the addresses
127.0.0.* and 192.1.1.* and then only on ports 443 through 563. Ports
443 through 563 are known SSL ports.
# ssl gateway rules:
ssl-gw: timeout 300
ssl-gw: hosts 196.1.2.* -dest { !127.0.0.* !192.1.1.* *:443:563 }
ssl-gw: deny-hosts *
Here is an example of how to use the plug-gw to allow connections to a
news server. In this example I allow anyone inside the protected
network to connect to only one system and only to it's news port.
The seconded line allows the news server to pass its data back to the
protected network.
Because most clients expect to stay connected while the user read
news, the timeout for a news server should be long.
# NetNews Pluged gateway
plug-gw: timeout 3600
plug-gw: port nntp 196.1.2.* -plug-to 199.5.175.22 -port nntp
plug-gw: port nntp 199.5.175.22 -plug-to 196.1.2.* -port nntp
The finger gateway is simple. Anyone inside the protected network must
login first and then we allow them to use the finger program on the
firewall. Anyone else just gets a message.
# Enable finger service
netacl-fingerd: permit-hosts 196.1.2.* -exec /usr/libexec/fingerd
netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
I haven't setup the Mail and X-windows services so I'm not including
examples. If anyone has a working example, please send me email.
7.4.2. The inetd.conf file
Here is a complete /etc/inetd.conf file. All un-needed services have
been commented out. I have included the complete file to show what to
turn off, as well as how to setup the new firewall services.
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
# FTP firewall gateway
ftp-gw stream tcp nowait.400 root /usr/local/etc/ftp-gw ftp-gw
# Telnet firewall gateway
telnet stream tcp nowait root /usr/local/etc/tn-gw /usr/local/etc/tn-gw
# local telnet services
telnet-a stream tcp nowait root /usr/local/etc/netacl in.telnetd
# Gopher firewall gateway
gopher stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
# WWW firewall gateway
http stream tcp nowait.400 root /usr/local/etc/http-gw /usr/local/etc/http-gw
# SSL firewall gateway
ssl-gw stream tcp nowait root /usr/local/etc/ssl-gw ssl-gw
# NetNews firewall proxy (using plug-gw)
nntp stream tcp nowait root /usr/local/etc/plug-gw plug-gw nntp
#nntp stream tcp nowait root /usr/sbin/tcpd in.nntpd
# SMTP (email) firewall gateway
#smtp stream tcp nowait root /usr/local/etc/smap smap
#
# Shell, login, exec and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
#talk dgram udp wait root /usr/sbin/tcpd in.talkd
#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
#dtalk stream tcp waut nobody /usr/sbin/tcpd in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp dgram udp wait root /usr/sbin/tcpd in.tftpd
#bootps dgram udp wait root /usr/sbin/tcpd bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
#cfinger stream tcp nowait root /usr/sbin/tcpd in.cfingerd
#systat stream tcp nowait guest /usr/sbin/tcpd /bin/ps -auwwx
#netstat stream tcp nowait guest /usr/sbin/tcpd /bin/netstat -f inet
#
# Time service is used for clock syncronization.
#
#time stream tcp nowait root /usr/sbin/tcpd in.timed
#time dgram udp wait root /usr/sbin/tcpd in.timed
#
# Authentication
#
auth stream tcp wait root /usr/sbin/tcpd in.identd -w -t120
authsrv stream tcp nowait root /usr/local/etc/authsrv authsrv
#
# End of inetd.conf
7.4.3. The /etc/services file
This is where it all begins. When a client connects to the firewall it
connects on a known port (less then 1024). For example telnet
connects on port 23. The inetd deamon hears this connection and looks
up the name of these service in the /etc/services file. It then calls
the program assigned to the name in the /etc/inetd.conf file.
Some of the services we are creating are not normally in the
/etc/services file. You can assign some of them to any port you want.
For example, I have assigned the administrator's telnet port (telnet-
a) to port 24. You could assign it to port 2323 if you wished. For
the administrator (YOU) to connect directly to the firewall you will
need to telnet to port 24 not 23 and if you setup your netperm-table
file, like I did, you will only be able to to this from one system
inside your protected network.
telnet-a 24/tcp
ftp-gw 21/tcp # this named changed
auth 113/tcp ident # User Verification
ssl-gw 443/tcp
8. The SOCKS Proxy Server
8.1. Setting up the Proxy Server
The SOCKS proxy server available from
ftp://sunsite.unc.edu/pub/Linux/system/Network/misc/socks-linux-
src.tgz. There is also an example config file in that directory
called "socks-conf". Uncompress and untar the files into a directory
on your system, and follow the instructions on how to make it. I had
a couple problems when I made it. Make sure that your Makefiles are
correct.
One important thing to note is that the proxy server needs to be added
to /etc/inetd.conf. You must add a line:
socks stream tcp nowait nobody /usr/local/etc/sockd sockd
to tell the server to run when requested.
8.2. Configuring the Proxy Server
The SOCKS program needs two separate configuration files. One to tell
the access allowed, and one to route the requests to the appropriate
proxy server. The access file should be housed on the server. The
routing file should be housed on every Un*x machine. The DOS and,
presumably, Macintosh computers will do their own routing.
8.2.1. The Access File
With socks4.2 Beta, the access file is called "sockd.conf". It should
contain 2 lines, a permit and a deny line. Each line will have three
entries:
· The Identifier (permit/deny)
· The IP address
· The address modifier
The identifier is either permit or deny. You should have both a
permit and a deny line.
The IP address holds a four byte address in typical IP dot notation.
I.E. 192.168.2.0.
The address modifier is also a typical IP address four byte number.
It works like a netmask. Envision this number to be 32 bits (1s or
0s). If the bit is a 1, the corresponding bit of the address that it
is checking must match the corresponding bit in the IP address field.
For instance, if the line is:
permit 192.168.2.23 255.255.255.255
it will permit only the IP address that matches every bit in
192.168.2.23, eg, only 192.168.2.3. The line:
permit 192.168.2.0 255.255.255.0
will permit every number within group 192.168.2.0 through
192.168.2.255, the whole C Class domain. One should not have the
line:
permit 192.168.2.0 0.0.0.0
as this will permit every address, regardless.
So, first permit every address you want to permit, and then deny the
rest. To allow everyone in the domain 192.168.2.xxx, the lines:
permit 192.168.2.0 255.255.255.0
deny 0.0.0.0 0.0.0.0
will work nicely. Notice the first "0.0.0.0" in the deny line. With
a modifier of 0.0.0.0, the IP address field does not matter. All 0's
is the norm because it is easy to type.
More than one entry of each is allowed.
Specific users can also be granted or denied access. This is done via
ident authentication. Not all systems support ident, including
Trumpet Winsock, so I will not go into it here. The documentation
with socks is quite adequate on this subject.
8.2.2. The Routing File
The routing file in SOCKS is poorly named "socks.conf". I say "poorly
named" because it is so close to the name of the access file that it
is easy to get the two confused.
The routing file is there to tell the SOCKS clients when to use socks
and when not to. For instance, in our network, 192.168.2.3 will not
need to use socks to talk with 192.168.2.1, firewall. It has a direct
connection in via Ethernet. It defines 127.0.0.1, the loopback,
automatically. Of course you do not need SOCKS to talk to yourself.
There are three entries:
· deny
· direct
· sockd
Deny tells SOCKS when to reject a request. This entry has the same
three fields as in sockd.conf, identifier, address and modifier.
Generally, since this is also handled by sockd.conf, the access file,
the modifier field is set to 0.0.0.0. If you want to preclude
yourself from calling any place, you can do it here.
The direct entry tells which addresses to not use socks for. These
are all the addresses that can be reached without the proxy server.
Again we have the three fields, identifier, address and modifier. Our
example would have
direct 192.168.2.0 255.255.255.0
Thus going direct for any on our protected network.
The sockd entry tells the computer which host has the socks server
daemon on it. The syntax is:
sockd @=<serverlist> <IP address> <modifier>
Notice the @= entry. This allows you to set the IP addresses of a
list of proxy servers. In our example, we only use one proxy server.
But, you can have many to allow a greater load and for redundancy in
case of failure.
The IP address and modifier fields work just like in the other
examples. You specify which addresses go where through these. 6.2.3.
DNS from behind a Firewall
Setting up Domain Name service from behind a firewall is a relatively
simple task. You need merely to set up the DNS on the firewalling
machine. Then, set each machine behind the firewall to use this DNS.
8.3. Working With a Proxy Server
8.3.1. Unix
To have your applications work with the proxy server, they need to be
"sockified". You will need two different telnets, one for direct
communication, one for communication via the proxy server. SOCKS
comes with instructions on how to SOCKify a program, as well as a
couple pre-SOCKified programs. If you use the SOCKified version to go
somewhere direct, SOCKS will automatically switch over to the direct
version for you. Because of this, we want to rename all the programs
on our protected network and replace them with the SOCKified programs.
"Finger" becomes "finger.orig", "telnet" becomes "telnet.orig", etc.
You must tell SOCKS about each of these via the include/socks.h file.
Certain programs will handle routing and sockifying itself. Netscape
is one of these. You can use a proxy server under Netscape by
entering the server's address (192.168.2.1 in our case) in the SOCKs
field under Proxies. Each application will need at least a little
messing with, regardless of how it handles a proxy server.
8.3.2. MS Windows with Trumpet Winsock
Trumpet Winsock comes with built in proxy server capabilities. In the
"setup" menu, enter the IP address of the server, and the addresses of
all the computers reachable directly. Trumpet will then handle all
outgoing packets.
8.3.3. Getting the Proxy Server to work with UDP Packets
The SOCKS package works only with TCP packets, not UDP. This makes it
quite a bit less useful. Many useful programs, such as talk and
Archie, use UDP. There is a package designed to be used as a proxy
server for UDP packets called UDPrelay, by Tom Fitzgerald
<fitz@wang.com>. Unfortunately, at the time of this writing, it is
not compatible with Linux.
8.4. Drawbacks with Proxy Servers
The proxy server is, above all, a security device. Using it to
increase internet access with limited IP addresses will have many
drawbacks. A proxy server will allow greater access from inside the
protected network to the outside, but will keep the inside completely
unaccessible from the outside. This means no servers, talk or archie
connections, or direct mailing to the inside computers. These
drawbacks might seem slight, but think of it this way:
· You have left a report you are doing on your computer inside a
firewall protected network. You are at home, and decide that you
would like to go over it. You can not. You can not reach your
computer because it is behind the firewall. You try to log into
firewall first, but since everyone has proxy server access, no one
has set up an account for you on it.
· Your daughter goes to college. You want to email her. You have
some private things to talk about, and would rather have your mail
sent directly to your machine. You trust your systems
administrator completely, but still, this is private mail.
· The inability to use UDP packets represents a big drawback with the
proxy servers. I imagine UDP capabilities will be coming shortly.
FTP causes another problem with a proxy server. When getting or doing
an ls, the FTP server opens a socket on the client machine and sends
the information through it. A proxy server will not allow this, so
FTP doesn't particularly work.
And, proxy servers run slow. Because of the greater overhead, almost
any other means of getting this access will be faster.
Basically, if you have the IP addresses, and you are not worried about
security, do not use a firewall and/or proxy servers. If you do not
have the IP addresses, but you are also not worried about security,
you might also want to look into using an IP emulator, like Term,
Slirp or TIA. Term is available from ftp://sunsite.unc.edu, Slirp is
available from ftp://blitzen.canberra.edu.au/pub/slirp, and TIA is
available from marketplace.com. These packages will run faster, allow
better connections, and provide a greater level of access to the
inside network from the internet. Proxy servers are good for those
networks which have a lot of hosts that will want to connect to the
internet on the fly, with one setup and little work after that.
9. Advanced Configurations
There is one configuration I would like to go over before wrapping
this document up. The one I have just outlined will probably suffice
for most people. However, I think the next outline will show a more
advanced configuration that can clear up some questions. If you have
questions beyond what I have just covered, or are just interested in
the versatility of proxy servers and firewalls, read on.
9.1. A large network with emphasis on security
Say, for instance, you are the leader of millisha and you wish to
network your site. You have 50 computers and a subnet of 32 (5 bits)
IP numbers. You need various levels of access within your network
because you tell your followers different things. Therefore, you'll
need to protect certain parts of the network from the rest.
The levels are:
1. The external level. This is the level that gets shown to
everybody. This is where you rant and rave to get new volunteers.
2. Troop This is the level of people who have gotten beyond the
external level. Here is where you teach them about the evail
goverment and how to make bombs.
3. Mercenary Here is where the real plans are keep. In this level is
stored all the information on how the 3rd world goverment is going
to take over the world, your plans involving Newt Gingrich,
Oklahoma City, lown care products and what realy is stored in that
hangers at area 51.
9.1.1. The Network Setup
The IP numbers are arranged as:
· 1 number is 192.168.2.255, which is the broadcast address and is
not usable.
· 23 of the 32 IP addresses are allocated to 23 machines that will be
accessible to the internet.
· 1 extra IP goes to a linux box on that network
· 1 extra goes to a different linux box on that network.
· 2 IP #'s go to the router
· 4 are left over, but given domain names paul, ringo, john, and
george, just to confuse things a bit.
· The protected networks both have the addresses 192.168.2.xxx
Then, two separate networks are built, each in different rooms. They
are routed via infrared Ethernet so that they are completely invisible
to the outside room. Luckily, infrared ethernet works just like
normal ethernet.
These networks are each connected to one of the linux boxes with an
extra IP address.
There is a file server connecting the two protected networks. This is
because the plans for taking over the world involves some of the
higher Troops. The file server holds the address 192.168.2.17 for the
Troop network and 192.168.2.23 for the Mercenary network. It has to
have different IP addresses because it has to have different Ethernet
cards. IP Forwarding on it is turned off.
IP Forwarding on both Linux boxes is also turned off. The router will
not forward packets destined for 192.168.2.xxx unless explicitly told
to do so, so the internet will not be able to get in. The reason for
turning off IP Forwarding here is so that packets from the Troop's
network will not be able to reach the Mercenary network, and vica
versa.
The NFS server can also be set to offer different files to the
different networks. This can come in handy, and a little trickery
with symbolic links can make it so that the common files can be shared
with all. Using this setup and another ethernet card can offer this
one file server for all three networks.
9.1.2. The Proxy Setup
Now, since all three levels want to be able to monitor the network for
their own devious purposes, all three need to have net access. The
external network is connected directly into the internet, so we don't
have to mess with proxy servers here. The Mercenary and Troop
networks are behind firewalls, so it is necessary to set up proxy
servers here.
Both networks will be setup very similarly. They both have the same
IP addresses assigned to them. I will throw in a couple of
parameters, just to make things more interesting though.
1. No one can use the file server for internet access. This exposes
the file server to viruses and other nasty things, and it is rather
important, so its off limits.
2. We will not allow troop access to the World Wide Web. They are in
training, and this kind of information retrieval power might prove
to be damaging.
So, the sockd.conf file on the Troop's linux box will have this line:
deny 192.168.2.17 255.255.255.255
and on the Mercenary machine:
deny 192.168.2.23 255.255.255.255
And, the Troop's linux box will have this line
deny 0.0.0.0 0.0.0.0 eq 80
This says to deny access to all machines trying to access the port
equal (eq) to 80, the http port. This will still allow all other
services, just deny Web access.
Then, both files will have:
permit 192.168.2.0 255.255.255.0
to allow all the computers on the 192.168.2.xxx network to use this
proxy server except for those that have already been denied (ie. the
file server and Web access from the Troop network).
The Troop's sockd.conf file will look like:
deny 192.168.2.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.2.0 255.255.255.0
and the Mercenary file will look like:
deny 192.168.2.23 255.255.255.255
permit 192.168.2.0 255.255.255.0
This should configure everything correctly. Each network is isolated
accordingly, with the proper amount of interaction. Everyone should
be happy.
Now, take over the world!
[UP home]
Maintained: 16 April 1997